This document describes how to configure the Cisco Secure PIX Firewall
in a site-to-site IPSec VPN with overlapping private network addresses behind
VPN gateways. The enhanced Network Address Translation (NAT) feature introduced
in PIX 6.2 is used in this example to translate the overlapping networks on
each side of the IPSec VPN tunnel to non-overlapping address spaces.

The information in this document is based on these software and
hardware versions:

Cisco Secure PIX Firewall 506 with software version 6.3(3)

VPN 3030 Concentrator with software version 4.1(5)

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Both Private_LAN1 and Private_LAN2 have an IP subnet of 192.168.4.0/24.
This simulates the overlapping address space behind each side of the IPSec
tunnel. The VPN 3000 Concentrator is used here as one example of a concentrator
that cannot perform NAT on VPN traffic.

In this example, the PIX performs a bi-directional translation so that
the two private LANs can communicate over the IPSec tunnel. The translation
means that Private_LAN1 "sees" Private_LAN2 as 10.1.1.0/24 through the IPSec
tunnel, and Private_LAN2 "sees" Private_LAN1 as 20.1.1.0/24 through the IPSec
tunnel.

For the destination address 20.1.1.0/24 (Private_LAN1), you need a
static route on the VPN 3000. To do this, select Configuration >
System > IP Routing > Static Routes and choose Add. Once you are done
filling out the fields, click Add.
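The following sketch is an added illustration, not part of the original configuration. It models the bi-directional 1:1 translation described above and shows which addresses appear on each side of the PIX, including why replies from Private_LAN2 are addressed to 20.1.1.0/24 and therefore need the static route. The host addresses (.10 and .20) and all function names are assumptions made for the example.

```python
import ipaddress

# Addressing taken from the text above.
REAL_LAN = ipaddress.ip_network("192.168.4.0/24")        # both private LANs
LAN1_SEEN_BY_LAN2 = ipaddress.ip_network("20.1.1.0/24")  # Private_LAN1, translated
LAN2_SEEN_BY_LAN1 = ipaddress.ip_network("10.1.1.0/24")  # Private_LAN2, translated


def remap(addr, from_net, to_net):
    """1:1 network translation: keep the host bits, swap the network prefix."""
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        raise ValueError(f"{ip} is not in {from_net}")
    offset = int(ip) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def lan1_to_tunnel(src, dst):
    """Headers of a Private_LAN1 packet after the PIX translates both fields."""
    return (remap(src, REAL_LAN, LAN1_SEEN_BY_LAN2),
            remap(dst, LAN2_SEEN_BY_LAN1, REAL_LAN))


def tunnel_to_lan1(src, dst):
    """Headers of a packet from the tunnel after the PIX translates it back."""
    return (remap(src, REAL_LAN, LAN2_SEEN_BY_LAN1),
            remap(dst, LAN1_SEEN_BY_LAN2, REAL_LAN))


def reply(pkt):
    """The remote host answers by swapping source and destination."""
    src, dst = pkt
    return (dst, src)


if __name__ == "__main__":
    # Constructed hosts: 192.168.4.10 on Private_LAN1, 192.168.4.20 on Private_LAN2.
    on_tunnel = lan1_to_tunnel("192.168.4.10", "10.1.1.20")
    print("LAN1 -> tunnel :", on_tunnel)
    answer = reply(on_tunnel)
    # The reply destination lies in 20.1.1.0/24, not on the connected
    # 192.168.4.0/24, so the VPN 3000 side needs the static route.
    print("LAN2 reply     :", answer)
    print("tunnel -> LAN1 :", tunnel_to_lan1(*answer))
```

A Private_LAN1 host that addresses the remote host by its real 192.168.4.x address makes `lan1_to_tunnel` raise `ValueError`, which mirrors the fact that such a packet is treated as local and never reaches the tunnel.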

Use the settings in these images to configure your VPN 3000
Concentrator.